The Seventh Pile of Stuff
Proving your point unethically, my weight loss journey, and questions for you!
The Fine Line Between Research and Trolling
The threat of supply-chain attacks in software—a breach where an attacker first compromises a piece of software you get from a vendor, giving them the ability to then breach you—is real and serious. For example, the recent SolarWinds breach exposed a huge chunk of the US government and Fortune 500 to malicious hackers. Given the risks, it makes sense to want to understand how these attacks happen. Researchers at the University of Minnesota wanted to understand how hard it would be for bad actors to initiate a supply-chain attack against a critical piece of open source software like the Linux kernel, which powers just about every web server out there.
So they set about answering this question in the meanest way possible: with a supply-chain attack on the Linux kernel! [1]
The researchers submitted garbage patches in an attempt to see how hard it would be to get bogus code into the kernel. While they intended to reach out to maintainers to make sure none of the junk code actually got merged into the kernel, in a few cases it got through. In any event, the regular kernel maintainers are rightly angry about being experimented on like this and have banned the entire University of Minnesota from contributing to the Linux kernel.
I’m of two minds on this story. Obviously the University’s behavior was bad and they deserve the consequences of being banned from contributing to Linux. On the other hand, they very much proved that a bad actor could probably insert malicious code into the operating system powering much of our global Internet infrastructure. And the nasty hackers we should be worried about won’t waste time with an ethics review before their attempt. [2]
How I Lost 50 Pounds [3]
I’ve struggled with physical fitness my entire life. Growing up poor in the American South can do that to you. It’s taken years and years to undo the damage—physically and mentally—that being overweight can do to you.
I was always a nerdy guy. I was good at academics, not sports. And I guess years of being good at the one and not the other [4] led to me believing that being fat was fine. Nerdy guys like me weren’t fit. Don’t even try.
But of course that’s nonsense. It took me a long time to discover that not only could I eat healthy and be athletic, but I could enjoy it just as much I enjoy coding or playing video games.
There’s so much I wish I’d known long ago. So much I wish I’d done for myself. I wrote this account of my weight loss journey, in the hopes that it can be inspirational to someone who finds themself in a situation similar to my own. This is a very personal thing for me to share, and I won’t pretend I’m not nervous about sharing it. But if it’s useful to even one other person, then I’ll know I was right to write it down.
Reader Survey
I’ve been sending this newsletter for a couple of months now. I’ve really enjoyed sharing interesting things with you and the conversations that it’s sparked.
I’d like to ask for some feedback so that I can make this newsletter even better in the months ahead. It would help a lot if you fill out this quick survey about what you did or did not find interesting. While I’m not exactly trying to build a personal brand or anything, I do want to make sure I’m piquing your interest and not wasting your time. Please give me your honest feedback!
[1] Somehow this got approved by an institutional review board as not being unethical. I would not want to be a member of that IRB right now.
[2] As part of my job, I send out test phishing emails to train people in what to beware of. When COVID-19 first became a thing, you started seeing phishing emails about it. Things like “email from HR with list of infected coworkers”—something that’s very tempting to click. A lot of infosec people said that sending out tests copying these COVID phishing emails was a bad idea. It was cruel, taking advantage of people during a difficult time. It breaks trust between the security teams and regular employees.
But I absolutely sent out those COVID-themed test phishes, because the bad guys don’t care about ethics. My colleagues needed to know. They needed to see what the real stuff looks like so they’d be prepared. To quote imposter Mad-Eye Moody: “Constant vigilance!”
[3] Pounds the unit of weight, not pounds the currency.
[4] The standard American diet was also a major contributor…